S0127: BBSRAT
Analyst context for executives and security teams
BBSRAT is a Windows remote access malware family associated in ATT&CK with targeted compromises. Its mapped behaviors matter because they span more than initial malware presence: persistence through Windows services, Run keys, startup folders, and COM hijacking; stealth through process hollowing, DLL abuse, file deletion, and deobfuscation or decoding; discovery of services, processes, files, and directories; collection staging through archiving; and command-and-control over web protocols protected with symmetric cryptography. For leaders, this means readiness should be judged by whether endpoint, identity, network, and incident response teams can connect these behaviors into an intrusion story, not just detect a single malicious file.
Executive priority
Prioritize BBSRAT as a validation case for Windows enterprise resilience against remote access malware with persistence and stealth behaviors. The business question is whether SOC and IR teams can prove visibility into service creation/execution, registry-based persistence, COM-related changes, suspicious process injection patterns, file discovery and cleanup, and outbound web-based command-and-control. This supports control investment decisions, incident containment planning, and audit evidence around endpoint monitoring, privileged activity, and malware response readiness.
Technical view
ATT&CK provides no standalone detection text for BBSRAT, so defenders should validate coverage through the related techniques. On Windows, focus on correlations across service discovery and service execution, new or modified Windows services, Registry Run keys and startup folder changes, COM hijacking indicators, process hollowing-style behavior, DLL abuse, process and file/directory discovery, file deletion, deobfuscation or decoding activity, local archiving via libraries, and outbound web protocol traffic that may be additionally protected with symmetric cryptography. Treat single events cautiously; the higher-value detection path is sequencing persistence, discovery, stealth, and command-and-control behaviors on the same host or user context.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- Windows service creation, modification, start, and service control manager activity
- Windows Registry telemetry for Run keys, service configuration, and COM-related changes
- Startup folder file creation or modification events
- Endpoint memory/process behavior telemetry relevant to process hollowing or injection
Detection direction
- Validate that detections are mapped to the related ATT&CK techniques rather than relying on a BBSRAT-specific signature, because official ATT&CK detection guidance is not provided.
- Correlate persistence events such as Windows service creation, Registry Run keys, startup folder changes, and COM-related registry changes with later service execution or suspicious child processes.
- Tune discovery detections for service, process, file, and directory enumeration by unusual users, unusual parent processes, or activity occurring shortly after persistence creation.
- Hunt for stealth combinations such as process hollowing indicators, unusual DLL loading, deobfuscation or decoding behavior, and follow-on file deletion on the same endpoint.
- Review outbound web protocol traffic from hosts showing persistence or discovery behaviors; encrypted or encoded command-and-control may limit content inspection, so metadata, destination reputation, timing, and process-to-network linkage are important.
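The sequencing idea above, as an added example that is not part of the ATT&CK object or Glexia's tooling: a small correlator that anchors on a persistence event per host and counts how many of the page's four behavior stages (persistence, discovery, stealth, C2) appear within a time window. Event type names and the sample telemetry are constructed; map them to your own endpoint and proxy fields.

```python
from collections import defaultdict
from datetime import datetime as dt, timedelta

# Raw event type (assumed names) -> behaviour stage named on this page.
STAGE_OF = {
    "service_created": "persistence", "run_key_set": "persistence",
    "startup_folder_write": "persistence", "com_inproc_changed": "persistence",
    "service_query": "discovery", "process_enum": "discovery", "dir_enum": "discovery",
    "hollowed_process": "stealth", "dll_sideload": "stealth", "file_deleted": "stealth",
    "http_outbound": "c2",
}

def correlate(events, window_minutes=120, min_stages=3):
    """Per host, anchor on each persistence event and collect the distinct
    stages seen within the window; alert when at least min_stages appear.
    Returns {host: sorted tuple of stages} for hosts that alerted."""
    window = timedelta(minutes=window_minutes)
    by_host = defaultdict(list)
    for ev in events:
        stage = STAGE_OF.get(ev["type"])
        if stage:  # unmapped event types are ignored, not errors
            by_host[ev["host"]].append((ev["ts"], stage))
    alerts = {}
    for host, evs in by_host.items():
        evs.sort()
        for i, (t0, s0) in enumerate(evs):
            if s0 != "persistence":
                continue  # chains start at a persistence write
            seen = {s0} | {s for t, s in evs[i + 1:] if t - t0 <= window}
            if len(seen) >= min_stages:
                alerts[host] = tuple(sorted(seen))
                break  # one alert per host is enough for triage
    return alerts

# Constructed sample telemetry: WS01 shows the full chain; WS02 has only a
# service install and an HTTP request hours later, which should not alert.
SAMPLE = [
    {"host": "WS01", "ts": dt(2024, 1, 8, 9, 0), "type": "service_created"},
    {"host": "WS01", "ts": dt(2024, 1, 8, 9, 2), "type": "process_enum"},
    {"host": "WS01", "ts": dt(2024, 1, 8, 9, 5), "type": "hollowed_process"},
    {"host": "WS01", "ts": dt(2024, 1, 8, 9, 7), "type": "http_outbound"},
    {"host": "WS02", "ts": dt(2024, 1, 8, 9, 0), "type": "service_created"},
    {"host": "WS02", "ts": dt(2024, 1, 8, 14, 0), "type": "http_outbound"},
]

if __name__ == "__main__":
    for host, stages in correlate(SAMPLE).items():
        print(f"{host}: {', '.join(stages)}")
```

Tune the window and stage threshold against your baseline; a single persistence event alone never alerts here, which matches the page's advice to treat single events cautiously.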
Mitigation priorities
- Harden Windows persistence surfaces first: restrict who can create or modify services, write to autorun locations, alter startup folders, or change COM-related registry paths.
- Apply least privilege and administrative control review so ordinary users and service accounts cannot unnecessarily install services or modify persistence locations.
- Ensure endpoint protection and logging are configured to capture process creation, service activity, registry changes, DLL loads, file operations, and network process attribution.
- Use egress controls, proxy monitoring, and DNS/web logging to reduce and investigate unauthorized outbound web protocol communications from endpoints.
- Maintain incident response playbooks for remote access malware that include host isolation, persistence review, service and registry triage, file system cleanup validation, and network scoping.
Analyst notes and limits
This take is based on the ATT&CK software object for BBSRAT and its supplied relationships to techniques including System Service Discovery, Process Hollowing, Process Discovery, File Deletion, Web Protocols, File and Directory Discovery, Deobfuscate/Decode Files or Information, Windows Service, COM Hijacking, Registry Run Keys/Startup Folder, Archive via Library, Service Execution, Symmetric Cryptography, and DLL abuse. The object supports Windows as the platform for BBSRAT; several related techniques list broader platforms, but defensive prioritization here should remain Windows-centered unless local evidence expands scope.
ATT&CK does not provide official detection guidance, aliases, tactics, or detailed procedure text in the supplied object. The external reference identifies a Palo Alto Networks report, but no additional claims beyond the supplied citation are used here. Local environment telemetry, baselines, and confirmed BBSRAT indicators are required before assessing exposure, exploitation, attribution, or detection coverage.
BBSRAT
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | |
| Enterprise | T1560.002 | Archive via Library (sub-technique) | BBSRAT can compress data with ZLIB prior to sending it back to the C2 server. [1] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder (sub-technique) | BBSRAT has been loaded through DLL side-loading of a legitimate Citrix executable that is set to persist through the Registry Run key location. |
| Enterprise | T1007 | System Service Discovery | BBSRAT can query service configuration information. [1] |
| Enterprise | T1569.002 | Service Execution (sub-technique) | BBSRAT can start, stop, or delete services. [1] |
| Enterprise | T1574.001 | DLL (sub-technique) | |
| Enterprise | T1071.001 | Web Protocols (sub-technique) | BBSRAT uses GET and POST requests over HTTP or HTTPS for command and control to obtain commands and send ZLIB compressed data back to the C2 server. [1] |
| Enterprise | T1573.001 | Symmetric Cryptography (sub-technique) | BBSRAT uses a custom encryption algorithm on data sent back to the C2 server over HTTP. [1] |
| Enterprise | T1546.015 | Component Object Model Hijacking (sub-technique) | BBSRAT has been seen persisting via COM hijacking through replacement of the COM object for MruPidlList. |
| Enterprise | T1083 | File and Directory Discovery | BBSRAT can list file and directory information. [1] |
| Enterprise | T1070.004 | File Deletion (sub-technique) | BBSRAT can delete files and directories. [1] |
| Enterprise | T1543.003 | Windows Service (sub-technique) | BBSRAT can modify service configurations. [1] |
| Enterprise | T1057 | Process Discovery | BBSRAT can list running processes. [1] |
| Enterprise | T1055.012 | Process Hollowing (sub-technique) | BBSRAT has been seen loaded into msiexec.exe through process hollowing to hide its execution. [1] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | 7b490ac8c244… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Palo Alto Networks BBSRAT: Lee, B., Grunzweig, J. (2015, December 22). BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger. Retrieved August 19, 2016.
- [2] mitre-attack S0127: MITRE ATT&CK software object S0127 (BBSRAT).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.